Aegix Privacy Policy

Aegix Platform — Safety and Incident Management

Authoritative source: This customer-facing policy is derived from doc/compliance/privacy-policy-operational.md, Aegix's internal operational privacy posture. That document is the single source of truth for how the product and backend actually handle personal information. Any discrepancy resolves in favor of the operational policy; Legal updates this document to match.

Harmonization baseline (2026-04-22):

Aegix applies the strictest broadly-applicable US privacy standard (CCPA/CPRA) nationwide. A thin state-delta layer in state-privacy-deltas.md handles additional obligations in VA / CO / CT / UT / TX / OR, plus K-12 supplements for NY (§ 2-d / 8 NYCRR 121), IL (SOPPA), NJ (SOPA), NH (RSA 189).

K-12 student data is additionally subject to FERPA. Aegix operates as a "school official" under 34 CFR § 99.31(a)(1)(i)(B), formally designated in each LEA contract per runbooks/ferpa-school-official-designation.md.

DSAR acknowledgment SLA is 5 business days; full response ≤ 45 calendar days; NY § 2-d DSARs respond within 30 calendar days. Procedure: runbooks/ccpa-dsar.md.

Subprocessor list: subprocessor-list.md. Changes trigger the 30-day LEA advance-notice clock under SDPC v3 Article III + NY EdLaw § 2-d Part 121.3.

Cryptographic posture: FIPS 140-3 approved algorithms only, per ADR 098 §1. No long-lived AWS IAM user access keys (workload identity only).

Welcome to Aegix Global LLC ("we," "us," or "our"), operating under various trade names, including Aegix. This privacy notice describes how and why we might collect, store, use, and/or share ("process") your information when you use our services ("Services"), including when you download and use our Aegix applications (Aegix One, Aegix AIM, and Aegix SMS), interact with the Aegix platform on behalf of an organization that has authorized your account, or engage with us in related ways.

Scope of This Privacy Policy

The Aegix platform serves organizations operating physical sites across multiple sectors — schools and school districts, colleges and universities, healthcare facilities, federal / state / local government agencies, corporate campuses, religious institutions, summer camps, sports and entertainment venues, and similar — that need real-time safety communication, incident management, and emergency-response coordination. The platform consists of three client applications and a shared services layer: Aegix One provides personal safety notifications, check-in status, and communication tools. Aegix AIM serves on-site staff and emergency responders (law enforcement, fire, EMS, and PSAP / public-safety dispatch personnel) with incident management, indoor/outdoor mapping, and real-time coordination. Aegix SMS handles site administration, integrations with the authorizing organization's existing systems (including, where applicable, K-12 Student Information Systems), reunification management, visitor management, and on-site administrative functions. All three applications share a common platform infrastructure, data layer, and security controls.

Universal privacy posture (applies regardless of sector)

This Privacy Policy applies to all end users of the Aegix platform regardless of the sector in which the authorizing organization operates. Aegix processes personal information in compliance with the California Privacy Rights Act ("CPRA"), the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), the Texas Data Privacy and Security Act ("TDPSA"), the Oregon Consumer Privacy Act ("OCPA"), and other applicable US state comprehensive privacy laws. Geolocation tied to identified individuals and other sensitive personal-information categories are processed under the heightened protections those laws require. Data minimization, purpose limitation, security-of-processing, and breach-notification commitments described later in this Policy apply to every Authorized Customer relationship.

Sector-specific applicability

In addition to the universal posture, the Aegix platform supports sectors with specific regulatory obligations. The sections that follow describe sector-specific privacy commitments that apply only when the authorizing organization (the "Authorized Customer") falls within the relevant sector:

K-12 education (Local Education Agencies, charter networks, private K-12 schools, K-12-serving organizations) — see the "K-12 Authorized Customers" section.
Higher education (colleges, universities, post-secondary institutions) — see "Higher-Education Authorized Customers."
Government (federal, state, local, tribal, military) — see "Government Authorized Customers."
Healthcare (hospitals, clinics, health systems, accredited care providers) — see "Healthcare Authorized Customers."
Enterprise, religious, sports, entertainment, summer-camp, and other site-operating organizations — see "Other Site-Operating Authorized Customers."

K-12 Authorized Customers

The provisions in this section apply when the Authorized Customer is a K-12 Local Education Agency, charter network, private K-12 school, or other K-12-serving organization that processes student records and education records.

FERPA Compliance

Aegix Global LLC acts as a "school official" under the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g) and is authorized to access, process, and maintain education records on behalf of Local Education Agencies (LEAs). Our relationship with each LEA is governed by a written Student Data Privacy Agreement (SDPA) that specifies:

Student data is processed solely for contracted educational purposes (school safety, incident reporting, threat assessment)
Student education records are maintained with appropriate access controls, encryption, and audit logging
Parents and guardians retain rights to inspect student records and request corrections under 34 CFR § 99.3-99.4
Student data will not be disclosed to third parties except as required by law or as authorized by the LEA
Upon request or termination of service, student data will be returned to the LEA or securely destroyed in accordance with established data retention schedules

COPPA Compliance for Users Under 13

Aegix platform may be used in school environments where students under age 13 are present. Aegix complies with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501-6506) as follows:

Student data collection is limited to information necessary for contracted school safety purposes
Parent/guardian consent is obtained through the LEA's enrollment and service authorization processes
No student data is shared with third parties for commercial purposes, targeted advertising, or marketing
Student data is not used to build behavioral profiles or to create commercial inferences about children
Parents may request access to, correction of, or deletion of student data by contacting privacy@aegix.global

NY Education Law § 2-d Compliance

For students in New York State schools, Aegix platform complies with Education Law § 2-d, which restricts the collection and use of personally identifiable information:

Aegix shall not sell or rent student data for any purpose
Aegix shall not use student data for targeted advertising or behavioral profiling

To the extent Aegix platform incorporates adaptive or customized learning features, use of Student Data and Teacher Data for such purposes is permitted under NH Exhibit G, Item 8 and is not considered a commercial or marketing use. Any adaptive learning features operate solely to improve educational outcomes within the scope of the contracted services.

Aegix shall not create an identification profile of a student or track online activity for marketing purposes

Aegix does not use radio frequency identification (RFID), Bluetooth Low Energy (BLE) beacons, near-field communication (NFC), or any similar radio-frequency technology to identify, locate, monitor, or track students or teachers. (NH Exhibit G, Item 12)

Aegix maintains security safeguards to protect student data from unauthorized access, use, or disclosure
Aegix provides clear notice to LEAs regarding the categories of student data processed and the purposes of such processing

Data Minimization and Student Privacy

Aegix applies data minimization principles to student information:

Student data collection is limited to information directly necessary for school safety purposes as defined in service agreements with LEAs
Student data is not aggregated, linked, or combined with data from other vendors or sources without explicit LEA authorization
Student behavioral data is retained according to schedules established by the LEA, typically 3-7 years for incident records, in compliance with state and federal retention requirements
Upon request by parents or the LEA, student data is securely deleted or redacted from Aegix systems
Aegix does not use student data for behavioral predictions, algorithmic profiling, or any purpose beyond the contracted school safety mission

Restrictions on Student Data Use

Aegix platform is committed to strict limitations on how student data is used:

No Sale of Student Data: Aegix does not sell, rent, or share student data for commercial purposes
No Targeted Advertising: Student data is not used to create targeted advertisements or marketing materials
No Third-Party Sharing: Student data is not disclosed to third parties except as required by law or as authorized by the LEA in writing
No Cross-Product Marketing: Student data from Aegix platform is not used to market other products or services to students or families
Limited Subprocessors: Any vendors with access to student data are contractually bound to the same restrictions and are listed in the SDPA

Student and Family Privacy Rights

Parents, guardians, and eligible students have the following rights regarding student data:

Right to Inspect: Parents and eligible students may request inspection of student records maintained by Aegix platform within 10 business days
Right to Correct: Parents and students may request correction of inaccurate or incomplete student records
Right to Delete: Parents may request deletion or redaction of student data in accordance with applicable law and LEA data retention policies
Right to Know: Parents have the right to know what categories of student data Aegix platform collects and how it is used
Right to Opt Out: Where permitted by law, parents may decline participation in data collection beyond minimum required for school safety
To exercise these rights, families should contact their LEA's data coordinator or submit requests to privacy@aegix.global

Student Data Privacy Agreement (SDPA)

Aegix Global LLC has executed Student Data Privacy Agreements with Local Education Agencies in the following states: Massachusetts, Maine, Colorado, Illinois, Iowa, Missouri, Nebraska, New Hampshire, New Jersey, New York, Ohio, Rhode Island, Tennessee, Vermont, Virginia, and Washington. Each SDPA specifies:

Scope of student data to be processed
Security and confidentiality obligations
Data retention and destruction schedules
Audit and compliance monitoring rights
Breach notification procedures
Data access and deletion rights

Higher-Education Authorized Customers

The provisions in this section apply when the Authorized Customer is a college, university, or other post-secondary educational institution.

FERPA. FERPA (20 U.S.C. § 1232g) applies to higher-education student records. Aegix acts as a "school official" with legitimate educational interest when processing student records on behalf of a higher-education Authorized Customer that has so designated Aegix in writing.
Adult students. The default user population at higher-education Authorized Customers is adult (18+); the COPPA-via-LEA enrollment flow is generally not applicable.
State student-data privacy laws. May apply where the Authorized Customer's enrollment includes minors (e.g., dual-enrollment programs, summer-camp programs, college-prep programs); applicability is determined per program.
Research data. The Aegix platform is not designed for processing research-subject data subject to the Common Rule (45 CFR 46) or analogous human-subjects protections. Higher-education Authorized Customers must not use the Aegix platform as a primary record system for research-subject data.

Government Authorized Customers

The provisions in this section apply when the Authorized Customer is a federal, state, local, tribal, or military government agency.

FedRAMP environment. The cloud infrastructure on which Aegix is hosted operates within Amazon Web Services environments authorized at the FedRAMP Moderate impact level. The Aegix Service itself is not FedRAMP-authorized as of the Effective Date; government Authorized Customers requiring full FedRAMP Moderate or High Service-level authorization should contact Aegix to discuss roadmap and scope.
FISMA. Aegix's security controls are aligned with NIST SP 800-53 Rev 5 in accordance with FISMA expectations for the Moderate impact level. Specific FISMA authorization requirements vary by agency; government Authorized Customers should engage Aegix on agency-specific authorization needs.
CJIS. Where the Authorized Customer is a law-enforcement agency or operates within a law-enforcement workflow that triggers Criminal Justice Information Services Security Policy obligations, the Authorized Customer is responsible for ensuring its use of the Service complies with CJIS requirements; Aegix will reasonably cooperate with CJIS-driven configuration and access-control needs.
FOIA / public-records laws. Government Authorized Customers may be subject to the Freedom of Information Act or analogous state public-records laws. Aegix will reasonably assist Authorized Customers with FOIA-driven data-export requests, subject to the executed contract and Aegix's confidentiality and security obligations.
Privacy Act of 1974 (federal agencies). Where a federal-agency Authorized Customer's use of the Service implicates a Privacy Act system of records, the Authorized Customer is responsible for ensuring the system-of-records notice (SORN) and routine-use disclosures appropriately scope Aegix processing.

Healthcare Authorized Customers

The provisions in this section apply when the Authorized Customer is a hospital, clinic, health system, accredited care provider, or other healthcare organization.

HIPAA / Protected Health Information ("PHI"). The Aegix platform is not designed to process PHI as a primary record system and is not HIPAA-authorized in its default configuration. Healthcare Authorized Customers must not transmit PHI through the Service unless and until a Business Associate Agreement ("BAA") is executed between Aegix and the Authorized Customer. Aegix will execute a BAA on request from a covered entity or business associate; contact legal@aegix.global.
Use after BAA execution. Once a BAA is in effect, the Authorized Customer is responsible for using the Service in HIPAA-compliant ways consistent with the BAA's terms. The BAA controls over this Privacy Policy on any matter relating to PHI.
State health-privacy laws. State health-privacy laws (including the California Confidentiality of Medical Information Act, Washington's My Health My Data Act, and analogous state regimes) may apply where the Authorized Customer collects health-adjacent data. The Authorized Customer is responsible for assessing applicability and configuring use accordingly.
Behavioral-health and substance-use records. Aegix is not designed for processing 42 CFR Part 2-protected substance-use treatment records or analogous behavioral-health regulated data. Healthcare Authorized Customers must not use the Aegix platform as a primary record system for those data categories.

Other Site-Operating Authorized Customers

The provisions in this section apply when the Authorized Customer is a corporate, religious, summer-camp, sports / entertainment venue, or other site-operating organization not falling within the K-12, higher-education, government, or healthcare sectors above.

Universal privacy posture (described above) applies in full.
The Authorized Customer is responsible for assessing and complying with sector-specific obligations applicable to its operations (e.g., state employment-privacy laws, religious-record protections, venue-specific licensing requirements). Aegix will reasonably assist with technical configuration to support those obligations as part of the executed Master Subscription Agreement.
Where the Authorized Customer's user population includes minors (e.g., a summer camp serving children under 13, a youth sports program), the K-12 / youth-serving provisions described above apply by analogy, including the requirement that the Authorized Customer administer parental consent under COPPA where applicable.

Safety Protocol Compliance Reporting

Aegix platform maintains comprehensive logging and reporting of safety protocol compliance. This includes:

Incident Report Completeness: Tracking whether school safety personnel complete all required fields in incident reports within regulatory timeframes
Policy Adherence: Monitoring adherence to school safety protocols and threat assessment procedures as defined in each LEA's safety plan
Response Time Metrics: Documenting response times for designated threat incidents, including time from report to threat assessment team activation
Training and Certification: Maintaining records of safety personnel training completion and certification status
Audit Trails: Generating detailed audit trails for all access to incident reports and student safety data
Compliance Dashboards: Providing LEA administrators with dashboards showing compliance metrics and improvement areas
Regulatory Reporting: Assisting LEAs with evidence for compliance with federal (FERPA, COPPA) and state (NY § 2-d, etc.) reporting requirements

Location Services and Digital 911 Routing

The Aegix Applications use device location to provide indoor and outdoor mapping, incident reporting, reunification check-in, and — for organizations that have enabled it — automated routing of alerts to public-safety dispatch services. Location is treated as "sensitive personal information" under the California Privacy Rights Act and as analogous "sensitive data" under the Virginia, Colorado, Connecticut, Texas, and Oregon comprehensive privacy laws, and is processed accordingly.

Current collection.

Foreground location: The Applications collect device location while you are actively using an Application that requires location (for example, when triggering an alert, viewing a map, or completing a reunification check-in). Aegix does not collect background location at this time.
Permission tier: On iOS, the Applications request the "While Using the App" location authorization. On Android, the Applications request ACCESS_FINE_LOCATION and, where a feature requires it, FOREGROUND_SERVICE_LOCATION.
User control: A user-level Location Services toggle in the Application's profile settings lets you turn location collection on or off for your account. When off, the Applications do not collect device location for that account, and features that depend on location will be unavailable until you turn the control back on.

Digital 911 Routing.

When an organization has enabled the Aegix Digital 911 Routing integration, an Aegix alert is forwarded to a certified public-safety dispatch provider for routing to the appropriate Public Safety Answering Point ("PSAP") or Emergency Communications Center. The current dispatch provider is RapidSOS; see the Subprocessor List for details.

What is forwarded today: For each alert, Aegix forwards to the dispatch provider the organization's published site address and main phone number, together with the alert type and timestamp. The data forwarded today is functionally equivalent to the Automatic Location Identification (ALI) and Automatic Number Identification (ANI) data that a 911 call placed from the organization's published landline would already provide.
What is not forwarded today: The Applications do not currently forward the reporter's individual device location, the reporter's name or account identifier, or any student personally identifiable information to the dispatch provider as part of Digital 911 Routing.
Per-organization gate: Digital 911 Routing is enabled by the organization that authorized your account — at that organization's discretion — not by Aegix and not by individual users. Not all organizations participate.
How to find out: To learn whether Digital 911 Routing is enabled for an organization that authorized your account, contact that organization's administrator or email privacy@aegix.global.
Direct 911: Digital 911 Routing supplements, but does not replace, your ability to contact 911 directly. In an emergency, contact 911 first.

Planned expansions.

The features and controls described in this section may change as Aegix releases new versions of the Applications. Aegix anticipates introducing the following capabilities in future releases, in addition to the current Digital 911 Routing data flow:

Forwarding the reporter's device location at the moment of an alert to the dispatch provider, in addition to the site address, so dispatchers can locate the reporter inside or near the site. This expansion will be controlled by you through a per-organization Location Sharing toggle in your profile, which will ship together with the device-location forwarding capability so the user-level control is available from the first release that includes the expanded data flow.
Background location collection for features that require it. When introduced, the Applications will request the iOS "Always" authorization and the Android ACCESS_BACKGROUND_LOCATION permission through the operating-system permission prompt, and will not collect background location until you grant that permission.
Additional Digital 911 Routing dispatch providers, including Motorola Solutions.

Before introducing any of the above, Aegix will (a) update this Privacy Policy; (b) refresh the corresponding Apple App Store "App Privacy" and Google Play "Data Safety" disclosures to match what the Applications actually do; (c) update the Subprocessor List and provide subscribing LEAs with the 30-day advance notice required under SDPC v3 Article III and NY Education Law § 2-d Part 121.3 to the extent those provisions are triggered by the expanded data category; and (d) provide in-Application notice and the operating-system permission prompts required for any expanded location-collection mode before that mode begins.

Website Visitors (aegix.global)

This section describes Aegix's data handling for visitors to the Aegix marketing website at https://aegix.global, separate from the platform / Application data flows described elsewhere in this Privacy Policy. The Aegix marketing website is a WordPress-hosted public-facing site used for marketing, product information, lead capture, and trust-center publication.

What we collect from website visitors. When you visit aegix.global, we collect the following categories of information:

Server logs and device data: IP address, browser type and version, referring URL, pages visited, time and duration of visits, UTM parameters and other query-string data appended to URLs.
Cookies and similar tracking technologies: We use cookies for analytics, advertising attribution, and live-chat / sales-tracking functionality. The full list of cookies, their purposes, retention periods, and the third parties they share data with is published in the Aegix Cookie Statement.
Form-submission data: When you submit a contact form, demo request, or newsletter signup, we collect the information you provide (typically name, work email, organization, role, and any free-text comments). This information is used to respond to your inquiry, schedule demos, and (where you have opted in) send you marketing communications.
Live-chat / sales-tracking interactions: The Aegix website embeds a Zoho SalesIQ widget that records visitor sessions and chat conversations for sales-follow-up purposes.

Third parties that receive website-visitor data. Through the cookies listed in the Cookie Statement, the following third parties may receive personal information from your visit to aegix.global:

Google (via Google Analytics 4 and Google Ads) — analytics aggregation and conversion tracking. Google may combine this data with other Google-collected signals to deliver targeted advertising on Google properties or partner sites.
Meta Platforms (via the Meta / Facebook Pixel) — conversion tracking. Meta may combine this data with other Meta-collected signals to deliver targeted advertising on Facebook, Instagram, and the Meta Audience Network.
Zoho Corporation (via Zoho SalesIQ) — live-chat and visitor-session storage for the duration described in the Cookie Statement.

CCPA / CPRA "sharing" notice. Under the California Privacy Rights Act and analogous state laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, Oregon OCPA, and others), Aegix's use of advertising cookies (Google Ads _gcl_au, Meta Pixel _fbp) constitutes "sharing" of personal information for cross-context behavioral advertising. You have the right to opt out of this sharing. To exercise that right:

Use the "Do Not Sell or Share My Personal Information" link in the website footer.
Configure your browser's Global Privacy Control (GPC) signal — Aegix honors GPC signals as opt-out-of-sharing requests, consistent with the California Attorney General's guidance.
Email privacy@aegix.global with your request.

Visitor-data retention. Server logs are retained for 90 days for security and operational purposes, then aggregated. Form-submission data is retained for the duration of the relationship plus 7 years (or shorter where required by applicable law) for sales, audit, and tax-record purposes. Cookie retention is described in the Cookie Statement.

Children. The Aegix marketing website is not directed to children. Aegix does not knowingly collect personal information from website visitors who are children under 13 outside of an LEA-administered enrollment context. The Aegix Applications (One, AIM, SMS) are used by K-12 students under the LEA's parental-consent and FERPA "school official" framework described elsewhere in this Privacy Policy; that framework does not apply to anonymous visits to the marketing website.

Distinct from platform data flows. Data collected from your visit to aegix.global is not linked to any student record, education record, or LEA-administered platform account. Aegix does not combine website-visitor cookies with platform-user account data.

NIST SP 800-53 Rev 5 Alignment

Aegix platform is designed in accordance with privacy controls from NIST SP 800-53 Rev 5 (Appendix J - Privacy Controls):

AP-1: Authority and Approval - Student data processing is authorized through executed SDPAs
AP-2: Accountability - Aegix maintains an inventory of student data categories and processing purposes
DI-1: Data Quality - Procedures ensure accuracy and completeness of student records
DI-2: Data Integrity and Manipulation - Controls detect unauthorized modification of student data
SA-8: Privacy Controls in System Design and Development - Privacy requirements are incorporated into AIM platform architecture
TR-1: Transparency - Aegix provides clear documentation of data practices to LEAs and families

Do United States Residents Have Specific Privacy Rights?

If you are a resident of California, Colorado, Connecticut, Utah, or Virginia, you are granted specific rights regarding access to your personal information. The following sections describe those rights.

What Categories of Personal Information Do We Collect?

We have collected the following categories of personal information in the past twelve (12) months:

Category	Examples	Collected
A. Identifiers	Contact details, real name, alias, postal address, telephone or mobile number, unique personal identifier, online identifier, IP address, email address, account name	YES
B. Personal information (Cal. Civ. Code § 1798.80(e))	Name, contact information, employment history (for staff users provisioned by an LEA)	YES
C. Protected classification characteristics under state or federal law	Gender, age, date of birth, race and ethnicity, national origin (when included in roster data imported by an LEA's SIS)	YES, where included in LEA-provided rostering data; not collected by Aegix from end users directly
D. Commercial information	Transaction history, purchase history, payment information	NO (Aegix does not collect end-user payment information; LEA billing is handled outside the platform)
E. Biometric information	Fingerprints, voiceprints, facial recognition templates	NO
F. Internet or other similar network activity	Browsing history, search history, online behavior, interest data, interactions with our and other websites, applications, systems, and advertisements	YES
G. Geolocation data	Device location during active use of safety features	YES
H. Audio, electronic, sensory, or similar information	Images, video, or call recordings created in connection with incident reporting, reunification, or emergency-response coordination	YES
I. Professional or employment-related information	Job title, role, department, work history (for staff users provisioned by an LEA)	YES, where included in LEA-provided rostering data
J. Education information	Student records and directory information processed under FERPA on behalf of the LEA, including roster data, reunification status, incident-report context tying a student to an event, and other student-tied operational data	YES — Aegix processes Education Information as a "school official" under FERPA 34 CFR § 99.31(a)(1)(i)(B), governed by the executed SDPA with each LEA
K. Inferences drawn from collected personal information	Inferences drawn from any of the above to create a profile or summary about an individual's preferences and characteristics	NO
L. Sensitive personal information (CPRA category)	Geolocation precise enough to identify a student's room or position; Education Information tied to identified students; account credentials	YES — Aegix processes geolocation tied to identified users during active alerts and Education Information tied to identified students; treated as "sensitive personal information" under CPRA and as analogous "sensitive data" under VCDPA, CPA, CTDPA, TDPSA, OCPA, and applicable K-12 supplements

California Residents - CCPA Privacy Notice

California residents have specific rights under the California Consumer Privacy Act (CCPA):

Right to request deletion of personal information
Right to know what personal information is collected and how it is used
Right to non-discrimination for exercising privacy rights
Right to opt out of sale or sharing of personal information
To exercise these rights, visit aegix.global/data-request or email privacy@aegix.global

Colorado Residents - CPA Privacy Rights

Colorado residents have specific rights under the Colorado Privacy Act (CPA):

Right to be informed whether personal data is being processed
Right to access your personal data
Right to correct inaccurate personal data
Right to delete your personal data
Right to opt out of targeted advertising, data sales, and profiling
To exercise these rights, email privacy@aegix.global or visit aegix.global/data-request

Connecticut Residents - CTDPA Privacy Rights

Connecticut residents have specific rights under the Connecticut Data Privacy Act (CTDPA):

Right to be informed whether personal data is being processed
Right to access and correct personal data
Right to delete personal data
Right to opt out of targeted advertising and profiling
To exercise these rights, email privacy@aegix.global or visit aegix.global/data-request

Utah Residents - UCPA Privacy Rights

Utah residents have specific rights under the Utah Consumer Privacy Act (UCPA):

Right to be informed whether personal data is being processed
Right to access personal data
Right to delete personal data
Right to opt out of targeted advertising and data sales
To exercise these rights, email privacy@aegix.global or visit aegix.global/data-request

Virginia Residents - VCDPA Privacy Rights

Virginia residents have specific rights under the Virginia Consumer Data Protection Act (VCDPA):

Right to be informed whether personal data is being processed
Right to access, correct, and delete personal data
Right to opt out of targeted advertising, data sales, and profiling
Right to appeal a decision declining your request
To exercise these rights, email privacy@aegix.global or visit aegix.global/data-request

How Can You Contact Us About This Notice?

If you have questions or concerns about this privacy policy, please contact us at:

Email: privacy@aegix.global

Mail: Aegix Global LLC, 94 Lone Hollow Dr., Sandy, UT 84092, United States

How Can You Review, Update, or Delete Your Data?

To request access, correction, or deletion of your personal information, please visit aegix.global/data-request. For student data requests, families should contact their school district's data privacy coordinator.

Document Version: 2.0 (Enhanced with K-12 Education Data Processing)

Last Updated: April 2026

Next Review: April 2027

Appendix: Vendor Compliance Documentation References

The following vendor documentation provides supporting evidence for the compliance claims and technical controls referenced in this document. These resources should be reviewed periodically to ensure alignment with current vendor certifications and capabilities.

Amazon Web Services (AWS)

AWS Compliance Programs: https://aws.amazon.com/compliance/programs/
AWS FERPA Compliance: https://aws.amazon.com/compliance/ferpa/
AWS Shared Responsibility Model: https://aws.amazon.com/compliance/shared-responsibility-model/
AWS Artifact: https://docs.aws.amazon.com/artifact/latest/ug/what-is-aws-artifact.html

Note: AWS compliance reports (SOC 2 Type II, ISO 27001) are available for download through AWS Artifact in the AWS Management Console. Contact the CPTO for access credentials.